The educational highlight for 2013 was completing my Masters project and gaining my MSc in ‘Distributed Systems and Networks’.

I also managed to attend a few interesting conferences including Infosec, F5, and Information Security Forum. Relevant notes from these events were uploaded to this blog throughout the year.

My education fail for the year was not getting round to taking my TOGAF exam. This is one of those things that looks like it may be career useful, but I am not particularly passionate about. I have completed the course and worked in environments where it is applied, so understand the framework and how to use it, however getting motivated to do the exam has failed to reach the top of my to-do list. I’ll see how this year goes, 2014 may be the year I get round to it.

Work-wise it was all change in 2013 as well, with my move from Canada Life to WorldPay in January. This was one of the best moves I have made: Canada Life was a pleasant place to work, but the slowest and least dynamic company I have ever been in. Some people are very happy there, but it wasn’t for me! WorldPay is considerably more dynamic, and being a payment processor it places a high value on doing things securely, which makes my role as a security architect very rewarding.

There are a lot of changes happening at WorldPay, so watch this space for updates on my career and where it is heading. One way or another I’ll definitely be staying in the security field, and very likely architecture.

Which brings us nicely onto 2014.

From a work project perspective this year is still very much up in the air; some projects I definitely know about include:

– New SIEM solution unifying the log correlation solution across the business,

– Supporting the design and creation of a new Security Operations Centre,

– Setting up various avenues to better integrate security with the wider business so we can communicate better with stakeholders and customers,

– Several other things not yet ready for disclosure but I will update on what I can throughout the year.

One of my main plans for this year is to get more involved with the business as I am pretty good at staying abreast of security and the technical side of things, but don’t always have as much involvement and awareness of the business as I perhaps could / should.

As a starter for 10, given that my last three roles have been in the financial sector I have recently started reading The Economist, which is surprisingly interesting. I have also picked up a couple of projects, such as the one mentioned above around communicating better with the business, to aid this in my current role as well as wider industry awareness.

Other than that 2014 will include my graduation ceremony, some conferences, and likely some further study. Time permitting I may also submit speaking proposals to a couple of conferences, but this is very much a maybe.

I’ll also be working to implement some more of the tips from the Productivity Ninja to aid planning and organisation.

I was reluctant to write this post as it could turn into buzzword bingo, and who needs a post suggesting yet another acronym?

However I have been thinking recently that SIEM needs to expand, and the term always seems to get people stuck thinking of traditional / historical SIEM, not where it should be going.

Traditionally SIEM systems collect and analyse ‘security’ events, i.e. events a source has already flagged as security relevant (firewall, IDS and AV alerts and the like). Now this is great if the attacker or malicious insider triggers a ‘security’ event. What if they don’t? The whole issue with the much discussed Advanced Persistent Threat (APT) type of attack is that the attacker has the time, money and resources to ensure they do not trigger obvious security events.

Detecting and understanding the more subtle attacks, or those hidden amongst other attacks (such as when a large DDoS is used as a diversion), needs much broader and more in-depth sources of data and correlation abilities than traditional SIEM installations provide.

As examples:

Consider malware installed under the context of an administrator that is not picked up by AV (this is easier than you think) and then hides itself from general detection. The ops guys may notice an increase in CPU or RAM use on the server, but without the security viewpoint are unlikely to consider rootkit-type malware.

Consider data being exfiltrated relatively slowly. An increase in network traffic that is not related to a change, but that causes no performance issues, is very likely to be overlooked if only considered from an operational perspective; viewed from a security standpoint, however, the same data may warrant further investigation.

Consider data moving between systems where it would not normally move, or accounts logging on at unusual times or from unusual places – these may not generate specific security alerts, but can be much more easily spotted and flagged by a log correlation solution that sees everything in the environment.

To me the answer is obvious and has much wider benefits than just for security. SIEM solutions should no longer be in a silo collecting just security data, and operational log collection systems shouldn’t be just for IT operations. A single solution that collects basically all the logs and other pertinent information into some sort of ‘big data’ redundant and scalable storage back end (likely Hadoop based) will provide huge benefit to the organisation.

If the raw log data is also enriched with contextual information such as the CMDB, network information, threat feeds etc. the alerting can be moved from generic alerts to much more organisation specific and prioritised based on the real risk.
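As an added example (not tooling from the original post) of the enrichment and prioritisation described above, the Python below correlates authentication events against a per-user baseline, a CMDB extract and a threat feed, so that the same ‘unusual login’ on a card-data host scores higher than on a DMZ web server. All hosts, users, addresses, the baseline and the scoring weights are constructed for illustration and are assumptions, not anything from the original post.

```python
"""Correlate authentication events with CMDB and threat-feed context.

Added example: a minimal 'single log pipeline' that enriches raw events
with organisational context so that alerts are prioritised by asset
criticality rather than being generic. All data below is constructed.
"""
import ipaddress
from datetime import datetime

# Constructed sample events (syslog-like key=value). Not real hosts or users.
RAW_EVENTS = """\
2014-01-06T09:02:11Z host=web01 user=alice src=10.1.4.22 result=success
2014-01-06T09:15:40Z host=web01 user=bob src=10.1.4.31 result=success
2014-01-06T13:20:05Z host=db01 user=dba src=10.1.9.7 result=success
2014-01-07T03:12:09Z host=db01 user=dba src=203.0.113.45 result=success
2014-01-07T10:44:51Z host=web02 user=alice src=10.1.4.22 result=failure
2014-01-07T11:01:30Z host=db01 user=svc_batch src=10.1.9.7 result=success
2014-01-07T22:30:02Z host=web01 user=bob src=10.1.4.31 result=success
"""

# Constructed CMDB extract: asset criticality (1-5) drives alert priority.
CMDB = {
    "web01": {"tier": "dmz", "criticality": 2},
    "web02": {"tier": "dmz", "criticality": 2},
    "db01": {"tier": "card-data", "criticality": 5},
}

# Constructed threat feed (RFC 5737 documentation address, not a real indicator).
THREAT_FEED = {"203.0.113.45"}

# Per-user baseline: usual hours (UTC) and the networks they normally come from.
# In a real deployment this is learned from history; here it is constructed.
BASELINE = {
    "alice": {"hours": range(8, 19), "nets": ["10.1.4.0/24"]},
    "bob": {"hours": range(8, 19), "nets": ["10.1.4.0/24"]},
    "dba": {"hours": range(8, 19), "nets": ["10.1.9.0/24"]},
    "svc_batch": {"hours": range(0, 24), "nets": ["10.1.9.0/24"]},
}


def parse_event(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def in_known_net(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def score_event(event):
    """Return (score, reasons); a score of 0 means nothing unusual was seen."""
    reasons = []
    base = BASELINE.get(event["user"])
    if base is None:
        reasons.append("no baseline for user")
    else:
        if event["ts"].hour not in base["hours"]:
            reasons.append("login outside usual hours")
        if not in_known_net(event["src"], base["nets"]):
            reasons.append("login from unusual network")
    if event["src"] in THREAT_FEED:
        reasons.append("source on threat feed")
    if not reasons:
        return 0, reasons
    # Weight by CMDB criticality: the same anomaly on a card-data host
    # outranks one on a DMZ web server. Unknown assets default to 1.
    crit = CMDB.get(event["host"], {}).get("criticality", 1)
    return crit * len(reasons), reasons


def correlate(raw=RAW_EVENTS):
    """Score every event and return the alerts, highest priority first."""
    alerts = []
    for line in raw.strip().splitlines():
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "src": ev["src"], "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

With the constructed data, the out-of-hours login to `db01` from a threat-feed address scores 15 and comes out first, while the out-of-hours but otherwise normal login to `web01` scores 2; the remaining events generate nothing. The point is that neither event would be a ‘security’ event in a traditional sense; it is the baseline plus the CMDB and threat feed context that produce a prioritised alert.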

Logical separation (and physical if required) along with access controls and agreed roles and responsibilities can be used to ensure that different teams only have access to the data and reports they should, and cannot access data they are not supposed to.

Having a single tool for operations, security and likely business reporting is architecturally simpler, easier to support, and likely lower cost than having multiple tools.

So, the solution is obvious to me, but should it still be called SIEM? I think the security use case of the single log collection solution is likely still SIEM, but on steroids as it has so much more data to correlate and search across and likely much more powerful ways of doing this. However it must not be looked at in isolation and we have to get away from the outdated notion of just collecting and alerting on ‘security’ events.

As an example, I was at a presentation recently around big data and SIEM and they did not once mention the broader use cases and benefits; the talk focused purely on the traditional SIEM model, just with more data.

What do you think? Do we need a new term? If not, how do we move people’s thinking forwards and away from only thinking of SIEM in traditional terms?

This is a post I have been meaning to write for some while, as I have been pondering the benefits vs. challenges of various standards / legislation. I’m not thinking about the challenges of implementing PCI-DSS (Payment Card Industry Data Security Standard), more the challenges of working in environments where compliance trumps security. As per the title, this post will focus on PCI-DSS, but I think it’s likely most of the issues will apply to various standards / regulations that are subject to compliance audits of some sort.

On the positive (blessing) side PCI-DSS is mostly a good standard, enforcing things like encryption in transit over public networks, separation of duties, minimising access to card data etc. It has forced some level of security practice onto companies that may previously have had relatively lax controls in place. The standard has also considerably raised the profile of security / meeting security requirements within many organisations.

On the negative (curse) side PCI-DSS is seen by many organisations as the be all and end all of security, despite the fact that it is the bare minimum you have to achieve in order to be permitted to handle / process card data. In addition it focuses almost solely on card data, ignoring concerns around things like PII (Personally Identifiable Information). This leads to a focus on ‘box-ticking’ compliance, rather than designing secure systems from the ground up, which would by definition be compliant with most (any?) sensible standards.

With the move towards a more continuous monitoring style proposed for the latest release of PCI-DSS, the focus on obtaining compliance yearly may be something we are moving away from. However this will do little to address companies’ attitudes towards broader security and the belief that obtaining and maintaining PCI-DSS compliance means systems are completely secure.

On balance I think standards / regulations like PCI-DSS are a good thing as they force companies to at least achieve some minimal levels of security. The challenge for security professionals is to get project teams and the wider business to accept that these standards are the bare minimums. Considerably more secure designs / solutions need to be implemented if we want to actually meet our duty of care to our customers whose data we hold and process.

What are your thoughts?

How successful have you been in moving to security being ‘front and centre’, with compliance with regulations being a by-product of this, rather than the focus being on compliance instead of security?

How the diverse and rapidly changing set of both structured and unstructured data can play a key role in identifying the increasingly sophisticated threats that organisations face.

Move from reactive to a more proactive stance by actively searching for indicators that something could be amiss.

As an example, the attacks earlier this year on the New York Times when it ran a story about China’s prime minister:

Not detected for 4 months

45 different pieces of malware were used, with only 1 being picked up by AV

All employee passwords stolen

Computers of 53 employees accessed

University computers were used as proxies to hide the traffic source.

We have a greater need for security intelligence;

User identities

Asset discovery

Network flow

Vulnerabilities / risks

Security and threat feeds

Baselines of behaviour (system and user)

Unstructured data such as free text user inputs, feeds from social media, general news sources etc.

Attackers are continuously adapting to leave minimal trace and hide their behaviour in the noise of ‘normal’ activity. Due to the potentially huge volumes of data, these systems must be very scalable.

Traditionally SIEM type solutions have focussed on real time alerting that is proactive, formalised (standard queries / searches) and fast. This is great, but can it be in depth enough, and is real time alerting always required when searching for long term APT style attacks?

Move towards adding more Asymmetric / Forensic type capabilities that are more Predictive, Inquisitive, and in depth. These require considerably more skill and in depth understanding to create, and the searches will be much more ‘custom’, but this is the best (only?) way to find the subtle and clever attackers, especially if doing so in a timely manner is required (it is!).
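As an added example of the slow, ‘hidden in the noise’ case (the slow exfiltration scenario in the SIEM post above, and the asymmetric / forensic style search described here), the Python below builds a robust per-host baseline of daily outbound volume and flags only a sustained rise across several days, which a single-day spike threshold would miss. This is illustration code, not the presenter’s tool; the daily totals are constructed (they would normally be aggregated from flow records), and the window sizes and the MAD multiplier are assumptions.

```python
"""Sustained-deviation check for slow data exfiltration.

Added example: daily outbound volume per host is compared against a
robust baseline (median and median absolute deviation) built from a
history window. A host is flagged only if *every* recent day sits above
the baseline, which is the signature of a small, persistent leak rather
than a one-off transfer. All figures are constructed.
"""
from statistics import median

HISTORY_DAYS = 10   # days used to build the baseline (assumption)
RECENT_DAYS = 4     # consecutive days that must all be above baseline (assumption)
K = 3.0             # MAD multiplier above the median (assumption)

# Constructed daily outbound MB per host, 14 days, oldest first. Not real traffic.
DAILY_MB = {
    # Steady host that starts sending ~15% more every day from day 11:
    # never a spike, but a sustained drift above its own normal.
    "fileserver01": [980, 1010, 995, 1020, 1005, 990, 1015, 1000, 985, 1010,
                     1160, 1175, 1150, 1180],
    # Host with a single large (legitimate-looking) backup on day 4, then normal.
    "build02": [400, 410, 395, 2100, 405, 415, 400, 390, 410, 405,
                398, 412, 401, 395],
    # Host with nothing unusual.
    "web01": [120, 125, 118, 130, 122, 119, 124, 121, 127, 123,
              122, 126, 120, 124],
}


def baseline(values):
    """Robust (median, MAD) baseline; MAD is floored so a flat history
    does not turn a trivial wobble into an alert."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, max(mad, 0.01 * med)


def sustained_rise(series, history_days=HISTORY_DAYS,
                   recent_days=RECENT_DAYS, k=K):
    """Return (flagged, threshold): flagged is True only if every day in
    the recent window exceeds median + k * MAD of the history window."""
    hist = series[:history_days]
    recent = series[history_days:history_days + recent_days]
    med, mad = baseline(hist)
    threshold = med + k * mad
    return all(v > threshold for v in recent), threshold


def single_day_spike(series, history_days=HISTORY_DAYS, factor=2.0):
    """The traditional per-day threshold: any day above factor * median."""
    return max(series) > factor * median(series[:history_days])


def find_slow_exfil(daily=DAILY_MB):
    """Hosts whose outbound volume has risen and stayed risen."""
    return sorted(h for h, s in daily.items() if sustained_rise(s)[0])


def find_spikes(daily=DAILY_MB):
    """Hosts a simple spike rule would catch, for comparison."""
    return sorted(h for h, s in daily.items() if single_day_spike(s))


if __name__ == "__main__":
    print("sustained rise:", find_slow_exfil())
    print("single-day spike:", find_spikes())
```

With the constructed data the spike rule catches only `build02` (the one-off backup) and the sustained-rise rule catches only `fileserver01`, whose extra ~150 MB a day never comes close to a 2x threshold. Neither check is real time; this is the kind of scheduled, inquisitive search over retained data that the notes argue the traditional alert-driven SIEM model lacks.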

Current SIEM type security processes may look like;

This has a heavy focus on structured data and performing real time correlation to get to a potential incident to investigate.

Moving more into the ‘big data’ world we will enrich this with a lot more data sources, much of it unstructured;

This will potentially also take outputs from the traditional SIEM tool as one of the feeds and enrich them with other data. An example may be something that looks like it may be an issue, but where there isn’t enough detail in the SIEM to act on; this could be passed to the ‘big data’ solution and correlated with a much wider data set to find out whether it is a real issue.

The top part of the above diagram (Real-time Processing and Security Operations) is relatively similar to existing SIEM solutions, focusing on real time analysis and processing, just with a potentially larger data set.

The bottom right (Big Data Warehouse, Big Data Analytics and Forensics) focuses on the much more advanced, not real time analysis and forensic type investigations.

Context is key.

You must be able to derive security relevant semantics from elements of the raw data.

There must be the capability to distil the huge volumes of data down to useful and real insights.

Human knowledge must be able to be added to the solution to improve processing and automate more tasks.

Another key area these tools can help with is creating visualisations of attacks and suspicious behaviour. As they will have data from all the systems in the enterprise, along with various external feeds, they can provide visual representations of the behaviour as it moves into and through the organisation.

For me the key consideration is to have one ‘Big Data’ solution that collects all the relevant data for your organisation from traditional log files, through corporate emails to social media and threat feeds.

This also needs to move out of the security realm as people are talking ‘Big Data’ but in reality still have the traditional SIEM mindset. Running a tool like this for security, while the ops guys are also running logging and monitoring tools is massively wasteful in terms of cost, storage, management overhead, and also likely results in situations where some useful information only ends up in one tool, not both.

We need to move forwards to the mindset of an Enterprise ‘Big Data’ solution for storing and correlating all the business data – logs, emails, external sources, user and system behaviours etc. This solution then has different dashboards, reporting solutions, search heads or whatever for the different use cases such as security, business users (system performance, investigating transaction issues etc.) and ops. Obviously areas like separation of duties and access controls must be considered here, but I believe this type of solution is the only way for this to really succeed and provide the best value for the business.

This was a very free flowing discussion, but I have tried to capture the main points that were made;

Thoughts on the state of the security industry today;

Quentyn – Things never change. Technologies change, but we still have the same issues as always. We seem to have a mentality of if I can just get the next best thing installed we’ll be secure. We are obsessed with the new – the next threat, the next big issue – these mean new technologies and new things to base next year’s budget on.

Focus on the basics. Verizon threat report – the vast majority of the issues are old and simple – related to patching etc. and not the latest advanced threats.

Look out for the new upcoming EU regulations.

Bruce – In some ways things haven’t changed, some things have.

Security is proving hard to sell.

Economic reason – It has got more complicated than the buyer can cope with. Many specialised, niche products that are hard to understand if you are not an expert in that specific area.

Psychological reason – Greed is a much better sell than fear. Security is fundamentally a fear sell. Other tricks are magazine awards and reviews.

Cloud may not be new, but it is new that everyone is using it. For cloud services we don’t ‘do’ security – we have to trust the vendors. What O/S does Facebook use? Do you know? Do you care? – you don’t have to, but you have to trust them. We have to trust the cloud vendors to be sensible, and this is fundamentally a law and regulatory issue, but there are some technologies coming along to help as well.

Without this trust things can go very wrong – since the recent NSA and encryption revelations, there have been many discussions around people doing their own thing for cryptographic solutions. Doing your own encryption is almost always a disaster, but a lack of trust makes people do silly things.

Quentyn – Comment on the fear sell, in the 60s politicians promised to get us to the moon, now politicians promise to avoid disaster.

If there is a disaster at your company, do people take it and learn from it, or do people get blamed and fired?

Evolution of the CSO role and the complexity of the technology – is the CSO a translator to the board?

Bruce – yes in a way, someone needs to, and the most senior security person is likely best placed. Communication skills are key. Risk management is key. Security is increasingly part of general risk management.

Quentyn – Dislikes the term CSO. Rarely does the CSO sit properly on the board in the same way as CFO, CEO, CIO etc. Is the role really C-level? Both agree it probably isn’t, and the C implies more than CSO / CISO really / usually is.

Securing the supply chain, what are we going to do about it?

Quentyn – A lot of security people don’t read the company reports etc. and don’t really understand in detail the business they work for, so how can they secure the supply chain?

Bruce – This is fundamentally a trust issue – I have to trust the companies that supply me to do their jobs, so the question is how do we get this assurance (audit details, contractual details, external assessments etc?) Do I need to include my supply chains audit reports in my overall audit report?

Quentyn – Example of Canadian bank discussion – we now have a requirement to audit, not to trust. Question is how to get this from large vendors.

Bruce – There needs to be enough demand, and legal regulations to enforce this and make large brands such as Microsoft produce public audit and compliance reports for their customers.

Quentyn – The other side of this is what the vendor / service provider has to lose. If a cloud provider, or mail processor or whoever is caught with someone in their business reading your data or mail, they stand to lose a huge amount of business if the trust in their service is lost.

Bruce – Largely agrees with this. Trust can be regulated, especially with government examples such as a driver’s licence, or a certificate in a doctor’s office.

Some more detail on the EU data protection act;

Quentyn – the fines for this are now capped at either 100 million Euro or 5% of a corporation’s global revenue, whichever is larger. This could mean huge fines for some breaches of this legislation.

Bruce – Reputation is a powerful reason for companies to act in a trustworthy manner, as well as fines.

Why is this a future issue, rather than the same as now

Bruce – if things are owned by you and run in house, governments get less involved. When you are using multiple cloud companies and data plus processing is global, government will regulate the providers much more. This means more reliance on international laws, and getting better at combating international cybercrime. We do seem to be getting better at this. Yes there are bad actors and bad things happen, but things are nowhere near as bad as we (myself included) predicted. We all bank online, we all bank on our phones, and we all know better! However we do it because it’s actually relatively safe and we know this too.

Microsoft vs. Apple – we all thought it was better to have freedom to run what we want, yet Apple has fewer vulnerabilities than Microsoft (no mention of historical user base etc.). However the downside of this is when Apple owns the device and manages the device, how do you know what is in memory? How do you know if files have really been deleted etc.?

Discussion around mobile devices, use and Data

Bruce – The difference with phones is that while they are just small computers, you carry them all the time so they are more easily lost. He is more scared crossing borders with his smartphone than any other device as with Apple, he has no visibility of what is really on the device or in the device’s memory.

Where are we going with Apple vs. Android – which will win – controlled walled garden (Apple style) vs. openness and freedom.

Bruce – likely more control and less freedom, sadly. Users want security to be invisible, and don’t really care, us IT security types are not representative of normal users!

Quentyn – Agrees, saw a headline about iPads not winning because IT managers don’t like them, he thought it was a joke headline.

Should security drive business decisions?

Bruce – No, we should influence them, but not drive them. And we are annoying.

Quentyn – we’re the no no no department.. But seriously, should influence and be involved, but not drive.

Where are we going, are things getting better?

Bruce – yes we are getting better, and we are improving at teaching security. However the problem is IT is expanding, so medical IT, cars, smart grid etc. are all learning the same painful issues – of course it’s secure, what do you mean you can hack a car? then they get hacked, then we have to secure them.

Quentyn – Think we need to wait 3-5 years to see if we are really improving. Dick Cheney has raised a concern that his pacemaker could be hacked as it has bluetooth!

Bruce – Likely if you ask the vendor why the pacemaker has bluetooth, the answer will be ‘because it was on the chip we used’..

Bruce – issues are often caused when computers are added to the physical world – e.g. we are adding IP stacks to medical devices, introducing a host of vulnerabilities and attack vectors that were not there before. Imagine if your smart fridge got a virus – it wouldn’t be fun!

Five points / key trends to bring the discussion together;

Translator role between IT and business (CISO discussion)

Reputation and risk

Fines might work

Driving towards control – people will often give up control for convenience.

Building security in, especially as we add IT to more devices and features.

The number of breaches and issues over the last few years has helped security professionals prove that the bogeyman is indeed real and that there are many real threats to our organisations. These range from <potentially> government funded malware such as Stuxnet and Duqu, through attacks against RSA, Sony etc., to denial of service attacks.

However just knowing about these is not enough, we need to be able to measure and quantify these threats in the context of our organisations. This is true for both emerging and realised threats.

Definitions, what is a cyber threat?

” The possibility of a malicious attempt to damage or disrupt a computer network or system” – Oxford dictionaries.

What a cyber threat is not;

Vulnerability or exploitability of a given technology or solution.

Likelihood of an event occurring

Risk to the organisation from a defined threat. (Risk is the product of analysing threat, vulnerability and impact).

Threat profiling is a tool / process that can be used to analyse a cyber threat.

This starts with identifying and classifying the threat;

The threat then needs to be measured in a meaningful and consistent way. In order to do this a threat scale of 1-10 was created that is made up from accumulated scores around whether the threat is real and current or upcoming, what mitigations are there against the threat etc. Threat impact categories from NIST are used. This is demonstrated in the below diagram;

To add detail and meaning to this score the items in the below diagram need to be considered to understand the scale of the threat, the motivation (how hard the attacker will try, for how long, and with what resources), and also the actions the threat would take e.g. the target of the threat.

This data can then be incorporated into a Threat Profile table to provide a consolidated view of the specific threat and its score. A slightly tongue in cheek example is shown below;

This talk links nicely with the earlier talk around the operational risk quantification process here;

This profiling could be used as part of, or an addition to, the risk assessment process. It would be one of the early steps in the area of understanding threats and what they are, in order to then translate them into actual business risks.

A note on data sources;

For cyber threats, one of the best sources of data for your organisation is to engage with a mature cyber intelligence / threat intelligence service. These are costly but can provide very targeted intelligence that has links from the criminal underground, government actors, social media, boards such as Pastebin etc. and more general news sources.

Next to the above are more general sources of threat information such as various industry forums.

But also remember many other data sources can be used to add value such as

Intrusion Prevention / Detection system logs

Incident handling documentation

Human resources

Physical security assets

Security Information and Event Management (SIEM) systems

…

Some useful reading / guidance on this topic;

US National Institute of Standards and Technology (NIST) – Preliminary Cybersecurity Framework :

From a cyber / technical threat assessment perspective this presentation has some very good ideas and outputs a relatively simple, easy to use set of scores and information around threats. It doesn’t yet cover how to ‘chain’ multiple threats together, and does not cover turning it into something for general management / the board.

As mentioned, this would be a great starting point for the earlier process around quantifying operational risks.

Secure change by changing security; how to express security value to boards so they make it part of their change strategies

Presentation by Jamie Rees from Government of New Brunswick Canada

The process they followed is outlined below, along with some thoughts on what you can do to make use of this process:

Define;

The Challenge – For them this was around multiple boards and ensuring the CISO has access to all of these

The executive office – CISO – Managed to get the CISO onto all the boards (health authorities, transport, education etc.)

For you – define your challenges in your business – is it ensuring board representation? Politics? Lack of budget?

Prepare;

What do we want to tell the board?

How do we get ready to tell them?

They created roadshows, had one on one discussions, and practised a lot – even practising in the actual rooms they would present in – and made a point of appearing very professional.

Also created handouts, collaboration sites, follow on messaging, got involved in local security events to raise profile, researched online and in magazines – be prepared for surprise questions. They even published an actual book of their architecture.

Everything they do is now vetted through the execs, no surprises on either side. Security now has a dedicated security architecture slide on the government strategy and EA roadmap.

They formalised the relationship between the risk and the outcome – link key operational items to the outcomes the board expect, this included results of threat and risk assessments, public body (ISF) health check results, number of outstanding security exceptions

The primary message is “risk exists and it threatens your expected outcomes in this way”

Bring Solutions!

The second message needs to be “if you are uncomfortable with the potential impacts on your outcomes, we have some solutions for reducing them”

Review;

What have we learned?

Welcome the regular 5-10 minutes on the board agenda over the 1 hour irregular meetings – this helps you become one of them, and keeps your issues at the top of their minds.

If they start talking amongst themselves – don’t interrupt, let them generate their understanding organically. It is their meeting, not yours, don’t try to ‘get them back on track’

This is valid information, and in line with other discussions on this topic. The main message is that we need to understand the key issues and concerns of our board. We then must translate security issues into language they understand and then relate these back to how they will impact the key concerns of the board.